Cuts Hit Cyber Drills, Security Programs, Napolitano Says

March 7 (Bloomberg) -- The Department of Homeland Security
will delay an intrusion detection program to protect U.S.
government computers from cyber-attacks and has canceled
cybersecurity exercises, Secretary Janet Napolitano said today.

Across-the-board budget cuts known as sequestration are
also slowing the agency’s ability to fill vacancies in cyber
incident response teams and disrupting the government’s broad
efforts to boost cybersecurity, Napolitano said at a Senate
hearing.

“Sequester reductions require us to scale back the
development of critical capabilities for the defense of federal
cyber networks,” Napolitano said. “Further action is needed by
Congress including immediate action to address the sequester if
we are to meet our responsibilities.”

The secretary spoke at a hearing to examine President
Barack Obama’s executive order on cybersecurity and whether
congressional legislation is needed. The Feb. 12 order is aimed
at protecting vital computer systems that run the power grid and
air-traffic-control systems from digital sabotage.

Republicans questioned whether the government is capable of
carrying out the executive order given its own problems dealing
with computer threats.

The federal government’s record managing cybersecurity
“begs the question about them directing what the private sector
should do,” John Thune of South Dakota, the top Republican on
the Senate Commerce Committee, said at the hearing.

Government Shortcomings

The government shows persistent shortcomings in assessing
cybersecurity risks, developing programs and monitoring results
at federal agencies, Gregory Wilshusen, director of information
security issues at the Government Accountability Office, said in
testimony at the hearing. The government lacks a centralized
information-sharing system and DHS hasn’t yet developed
predictive analysis on cyber threats, he said.

Obama’s order directs the government to develop a set of
voluntary cybersecurity standards for critical industries and
increase sharing of threat information with the private sector.
It instructs federal agencies to consider making the standards
binding for critical industries they oversee.

The executive order doesn’t establish incentives for
participating in voluntary programs, and a “suite of
legislation” is needed, Napolitano said.

Cyber Legislation

“While I commend the president for issuing this very
important order, there was only so much he could do using the
authorities granted to him under existing law,” Tom Carper,
chairman of the Senate Homeland Security and Governmental
Affairs Committee, said in an opening statement. “Those
authorities are simply not enough to get the job done.”

Congress can do more to encourage companies to share threat
information with each other and the government, and offer
incentives such as liability protection for critical industries
to improve defenses, said Carper, a Delaware Democrat. Lawmakers
can also modernize federal-agency security rules, boost
recruitment of cybersecurity workers, and better coordinate
research and development efforts, he said.

Carper and Senate Commerce Committee Chairman Jay
Rockefeller, a West Virginia Democrat, led today’s hearing. Both
sponsored a cybersecurity bill blocked last year by Senate
Republicans who said its proposed cybersecurity standards would
lead to burdensome regulation.

House Bill

The U.S. Chamber of Commerce and companies including AT&T
Inc. and Comcast Corp. support a bill from House Intelligence
Committee Chairman Mike Rogers that focuses solely on cyber
threat information sharing, giving legal protection for
companies that share such data with each other and the
government. Rogers, a Michigan Republican, and the intelligence
panel’s top Democrat, Representative C.A. “Dutch”
Ruppersberger of Maryland, reintroduced the measure last month.

Obama threatened to veto the Rogers bill the day before it
passed the House last year, saying the measure didn’t go far
enough to boost computer defenses and failed to protect the
privacy of sensitive consumer data.

Napolitano said the House bill has privacy “deficiencies”
and puts information sharing under the National Security Agency,
a military agency, when it should be under civilian-agency
oversight.